Zavio IP cameras are popular security devices used by businesses and homeowners around the world. However, recent research has revealed that these devices contain multiple critical security vulnerabilities that could be exploited by attackers to gain remote access and control over the devices.
The vulnerabilities, tracked as CVE-2023-3959, CVE-2023-45225, CVE-2023-43755, CVE-2023-39435, and CVE-2023-4249, are stack-based buffer overflows and command injection vulnerabilities. They allow attackers to execute arbitrary code on the devices and, in turn, to take complete control of them, steal sensitive data, or even launch attacks against other devices on the network.
The vulnerabilities, while varied, primarily revolve around stack-based buffer overflows and command injections:
- CVE-2023-3959, CVE-2023-45225 & CVE-2023-43755 – These vulnerabilities bear a CVSS score of 9.8, a clear testament to their severity. They all relate to stack-based overflows stemming from the camera’s inability to sufficiently validate or check buffer sizes when processing XML elements from incoming requests. The consequences? Potential remote code execution by malevolent actors.
- CVE-2023-39435 – This vulnerability, with a CVSS score of 8.8, also concerns a stack-based buffer overflow, albeit during the update of specific settings via network requests.
- CVE-2023-4249 – Scoring 8.8 on the CVSS scale, this vulnerability differs in its nature. It involves improper neutralization of special elements used in OS commands, giving rise to a command injection vulnerability.
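The length check whose absence the stack-overflow CVEs above describe, shown as an added C example that is not Zavio firmware code and not part of the advisory. The function name, element name and buffer sizes are assumptions, and the request body is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { XE_OK = 0, XE_NOT_FOUND = -1, XE_TOO_LONG = -2 };

/* Bounded search for needle in a length-delimited (not NUL-terminated) buffer. */
static const char *find(const char *hay, size_t hay_len, const char *needle, size_t n_len)
{
    if (n_len == 0 || n_len > hay_len) return NULL;
    for (size_t i = 0; i + n_len <= hay_len; i++)
        if (memcmp(hay + i, needle, n_len) == 0) return hay + i;
    return NULL;
}

/* Copy the text of <tag>...</tag> from req into out (capacity out_sz).
 * The unsafe pattern this replaces is a strcpy()/sprintf() of the element
 * text into a fixed stack array without comparing lengths first. */
int xml_element_text(const char *req, size_t req_len, const char *tag,
                     char *out, size_t out_sz)
{
    char otag[64], ctag[64];
    int on = snprintf(otag, sizeof otag, "<%s>", tag);
    int cn = snprintf(ctag, sizeof ctag, "</%s>", tag);
    if (on < 0 || cn < 0 || (size_t)on >= sizeof otag || (size_t)cn >= sizeof ctag)
        return XE_NOT_FOUND;               /* tag name itself is too long */
    if (out_sz == 0) return XE_TOO_LONG;

    const char *s = find(req, req_len, otag, (size_t)on);
    if (!s) return XE_NOT_FOUND;
    s += on;
    const char *e = find(s, req_len - (size_t)(s - req), ctag, (size_t)cn);
    if (!e) return XE_NOT_FOUND;           /* unterminated element */

    size_t len = (size_t)(e - s);
    if (len >= out_sz) return XE_TOO_LONG; /* reject; never copy past out */
    memcpy(out, s, len);
    out[len] = '\0';
    return XE_OK;
}

int main(void)
{
    /* Constructed request body; the element names are hypothetical. */
    const char req[] = "<cfg><name>lobby-cam</name></cfg>";
    char name[16];
    int rc = xml_element_text(req, sizeof req - 1, "name", name, sizeof name);
    printf("rc=%d name=%s\n", rc, rc == XE_OK ? name : "(rejected)");
    return 0;
}
```

Rejecting an oversized element outright, rather than truncating it, keeps the parser from acting on a partial value.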
The affected range includes Zavio IP camera models such as CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 – all operating on firmware version M2.1.6.05.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning users of Zavio IP cameras to discontinue use of the devices, as the vendor, Zavio, is no longer actively in business, and therefore firmware fixes, mitigations, and updates are not available and will not become available.
However, if users are unable to discontinue use of Zavio IP cameras, CISA recommends that they take the following defensive measures to minimize the risk of exploitation:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
- Perform proper impact analysis and risk assessment before deploying defensive measures.
In addition to the above defensive measures, users of Zavio IP cameras should also be vigilant about monitoring their networks for suspicious activity. If any suspicious activity is detected, users should contact their IT security team immediately.